\documentclass[11pt]{article}
%% \topmargin -1.5cm        % read Lamport p.163
%% \oddsidemargin -0.04cm   % read Lamport p.163
%% \evensidemargin -0.04cm  % same as oddsidemargin but for left-hand pages
%% \textwidth 16.59cm
%% \textheight 21.94cm 
%$ %\pagestyle{empty}       % Uncomment if don't want page numbers
\parskip 7.2pt           % sets spacing between paragraphs
%% %\renewcommand{\baselinestretch}{1.5} % Uncomment for 1.5 spacing between lines
\parindent 0pt		 % sets leading space for paragraphs

\usepackage{fullpage}
\usepackage{listings} % For source code
\usepackage[usenames,dvipsnames]{color} % For colors and names
\usepackage[pdftex]{graphicx}
\usepackage{subfigure}
\usepackage{enumerate}

%\documentclass{article}
\usepackage{amssymb,amsmath}

\newcommand{\superscript}[1]{\ensuremath{^{\textrm{#1}}}}
\newcommand{\subscript}[1]{\ensuremath{_{\textrm{#1}}}}

\definecolor{mygrey}{gray}{.96} % Light Grey
\lstset{ 
        language=[ISO]C++,              
        tabsize=3,                                                     
        basicstyle=\tiny,               
        numbers=left,                   
        numberstyle=\tiny,              
        stepnumber=2,                   
        numbersep=5pt,                  
        backgroundcolor=\color{white}, 
        %showspaces=false,              
        %showstringspaces=false,        
        %showtabs=false,                
        frame=single,                    
        tabsize=3,                          
        captionpos=b,                   
        breaklines=true,                
        breakatwhitespace=false,        
        %escapeinside={\%*}{*)},        
        commentstyle=\color{BrickRed}   
}

\title{Northeastern University \\
  Department of Computer Science \\
  - \\
  CS4740 \\
  Host Hardening Lab
}
\date{\today}
\author{
  TA: Aldo Cassola \\
  Paul Ozog \\
  Andrew Lai \\
  Saumitro Dasgupta
}

\begin{document}

\begin{titlepage}
  \maketitle
  \thispagestyle{empty}
\end{titlepage}

\section*{Team Member Contributions}
\begin{itemize}
\item Paul Ozog was the primary author of this report and handled the administrative tasks for the GNU/Linux and Windows servers.
\item Andrew and Saumitro were available for conceptual help for the ``End of Lab'' questions (following sections).
\end{itemize}

\section*{Problem 1}
The two services we disabled were \texttt{avahi-daemon} and \texttt{sendmail}:
\begin{itemize}
  \renewcommand{\labelitemi}{$\cdot$}
\item \texttt{sendmail} is service that delivers messages over the Internet; it was initially developed in the 1980's when security was not nearly as big of a concern as it is today.  There have been many vulnerabilities of sendmail, some of which sprang up within the last couple of years.  This service provides an unnecessary security risk, so we disabled it.

\item \texttt{avahi-daemon} is described by the website www.avahi.org as follows:

{\it ``Avahi is a system which facilitates service discovery on a local network. This means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.''}

These abilities are normally popular for owners of laptops that are casually connected in and out of LANs - not administrators of secure servers.  Therefore, it's obvious that this service should be disabled.  

\end{itemize}

\section*{Problem 2}
An attacker can send a storm of ``Daytime'' requests to a target Windows server running ``Simple TCP/IP Services.''  Because there is no handshaking in UDP, an attacker can generate and send a very large number of phony requests, using much of the target system's resources.

To do considerable damage with just one packet, an attacker can send a ``Daytime'' request to a target, while spoofing the sender's address with another host that serves the ``Echo'' TCP/IP Service.  As a result, the target will keep on serving ``Daytime'' requests infinitely many times, using valuable network and computing resources.

\section*{Problem 3}
The following security vulnerabilities are associated with fully enabled NULL sessions.
\begin{itemize}
  \renewcommand{\labelitemi}{$\cdot$}
\item An attacker can indirectly (or directly) obtain usernames, passwords, groups, and shared folders.
\item Privilege escalation: This is made even easier by lazy owners of Windows 2003 Server who leave the Administrator password unset.
\item DoS: The following SMB vulnerability is described by IBM Internet Security Systems (www.iss.net):

  {\it ``A remote attacker can cause a vulnerable system to crash by sending a
specially crafted SMB packet to an open NetBIOS port (TCP port 139).
These ports are typically filtered on outward facing Internet servers. 
This vulnerability poses a significant DoS risk to unprotected home or
small/medium size business servers, or any servers not protected by basic
protection systems...''}

\end{itemize}

\section*{Problem 4}
The attacker would have to break the cryptographic secret function used to create the SYN cookie.  This value depends on the server's IP address and port number, the client IP address and port number, and a reasonably recent timestamp.  

In other words, if the attacker were to send an ACK packet with a bogus Acknowledgment Number, the server can decrypt data contained in the packet to see if it results in a valid queued SYN entry.  If the attacker used random bits for the Acknowledgment Number, the chances that he/she can spawn a valid TCP connection are negligible.

\section*{Problem 5}
The drawbacks of DoS protection using SYN cookies are:
\begin{enumerate}
\item The Maximum Segment Size (MSS) field of the cookie only uses three bits, so there are only eight possible values for the MSS.
\item The host computer uses more computing resources to carry out a TCP handshake (however, it should be noted that the use of SYN cookies only occurs when the system is under DoS attack).
\item In the off chance that the client's final ACK packet is not received at the server (due to corruption in the channel), that connection freezes.  According to the \texttt{http://cr.yp.to/syncookies/archive} mailing list: even if the probability of failed packets is extremely high at .50, the probability of a frozen connection is approximately .02.
\item TCP options contained in the original SYN packet are discarded when the packet is deleted.  When the server reconstructs the SYN packet, there is no way to determine what, if any, options or flags were originally present.
\end{enumerate}

\section*{Problem 6}
We set the registry value SynAttackProtect to 2 beneath the key:

\begin{verbatim}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
\end{verbatim}

We used the Microsoft Developer Network (MSDN) recommendations for most of registry options for SynAttackProtect.  Except we cut down the number of TcpMaxHalfOpen and TcpMaxHalfOpenRetried down by an order of magnitude, since we do not expect much traffic on our virtual machine:
\begin{itemize}
\item TcpMaxPortsExhausted : 5
\item TcpMaxHalfOpen : 50
\item TcpMaxHalfOpenRetried : 40
\item TcpMaxConnectResponseRetransmissions : 3
\item TcpMaxDataRetransmissions : 2
\item EnablePMTUDiscovery : 0
\item KeepAliveTime : 300000
\end{itemize}



\end{document}
